infiniband syz1: set down
infiniband syz1: added xfrm0
======================================================
WARNING: possible circular locking dependency detected
syzkaller #0 Not tainted
------------------------------------------------------
syz.1.1876/12697 is trying to acquire lock:
ffffffff8ea5eb20 (pcpu_alloc_mutex){+.+.}-{4:4}, at: pcpu_alloc_noprof+0x231/0x1900 mm/percpu.c:1788

but task is already holding lock:
ffffffff8e7f6cc0 (wq_pool_mutex){+.+.}-{4:4}, at: __alloc_workqueue+0xa9c/0x2060 kernel/workqueue.c:5895

which lock already depends on the new lock.

the existing dependency chain (in reverse order) is:

-> #9 (wq_pool_mutex){+.+.}-{4:4}:
       __mutex_lock_common kernel/locking/mutex.c:646 [inline]
       __mutex_lock+0x19d/0x1550 kernel/locking/mutex.c:821
       __alloc_workqueue+0xa9c/0x2060 kernel/workqueue.c:5895
       alloc_workqueue_va kernel/workqueue.c:5946 [inline]
       alloc_workqueue_noprof+0xe3/0x210 kernel/workqueue.c:5962
       padata_alloc+0xbe/0x360 kernel/padata.c:964
       pcrypt_init_padata+0x27/0x100 crypto/pcrypt.c:335
       pcrypt_init+0x60/0xc0 crypto/pcrypt.c:360
       do_one_initcall+0x250/0x870 init/main.c:1347
       do_initcall_level+0x10a/0x1a0 init/main.c:1409
       do_initcalls+0x59/0xa0 init/main.c:1425
       kernel_init_freeable+0x29d/0x3e0 init/main.c:1658
       kernel_init+0x1d/0x1d0 init/main.c:1548
       ret_from_fork+0x514/0xb70 arch/x86/kernel/process.c:158
       ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

-> #8 (cpu_hotplug_lock){++++}-{0:0}:
       percpu_down_read_internal include/linux/percpu-rwsem.h:53 [inline]
       percpu_down_read include/linux/percpu-rwsem.h:77 [inline]
       cpus_read_lock+0x42/0x160 kernel/cpu.c:490
       static_key_slow_inc+0x12/0x30 kernel/jump_label.c:190
       udp_tunnel_encap_enable include/net/udp_tunnel.h:232 [inline]
       setup_udp_tunnel_sock+0x2df/0x4f0 net/ipv4/udp_tunnel_core.c:90
       l2tp_tunnel_register+0xe77/0x1570 net/l2tp/l2tp_core.c:1687
       pppol2tp_tunnel_get net/l2tp/l2tp_ppp.c:663 [inline]
       pppol2tp_connect+0x8e3/0x18b0 net/l2tp/l2tp_ppp.c:711
       __sys_connect_file net/socket.c:2135 [inline]
       __sys_connect+0x323/0x460 net/socket.c:2154
       __do_sys_connect net/socket.c:2160 [inline]
       __se_sys_connect net/socket.c:2157 [inline]
       __x64_sys_connect+0x7a/0x90 net/socket.c:2157
       do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
       do_syscall_64+0x174/0x580 arch/x86/entry/syscall_64.c:94
       entry_SYSCALL_64_after_hwframe+0x77/0x7f

-> #7 (sk_lock-AF_INET6){+.+.}-{0:0}:
       lock_sock_nested+0x41/0x100 net/core/sock.c:3825
       lock_sock include/net/sock.h:1713 [inline]
       inet_shutdown+0x6a/0x390 net/ipv4/af_inet.c:913
       nbd_mark_nsock_dead+0x2cb/0x550 drivers/block/nbd.c:318
       recv_work+0x1cee/0x1e10 drivers/block/nbd.c:1021
       process_one_work kernel/workqueue.c:3322 [inline]
       process_scheduled_works+0xa8e/0x14e0 kernel/workqueue.c:3405
       worker_thread+0xa47/0xfb0 kernel/workqueue.c:3486
       kthread+0x388/0x470 kernel/kthread.c:436
       ret_from_fork+0x514/0xb70 arch/x86/kernel/process.c:158
       ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

-> #6 (&nsock->tx_lock){+.+.}-{4:4}:
       __mutex_lock_common kernel/locking/mutex.c:646 [inline]
       __mutex_lock+0x19d/0x1550 kernel/locking/mutex.c:821
       nbd_handle_cmd drivers/block/nbd.c:1143 [inline]
       nbd_queue_rq+0x373/0x1150 drivers/block/nbd.c:1207
       blk_mq_dispatch_rq_list+0x499/0x1990 block/blk-mq.c:2117
       __blk_mq_do_dispatch_sched block/blk-mq-sched.c:168 [inline]
       blk_mq_do_dispatch_sched block/blk-mq-sched.c:182 [inline]
       __blk_mq_sched_dispatch_requests+0xd36/0x1580 block/blk-mq-sched.c:307
       blk_mq_sched_dispatch_requests+0xd7/0x190 block/blk-mq-sched.c:329
       blk_mq_run_work_fn+0x16c/0x300 block/blk-mq.c:2532
       process_one_work kernel/workqueue.c:3322 [inline]
       process_scheduled_works+0xa8e/0x14e0 kernel/workqueue.c:3405
       worker_thread+0xa47/0xfb0 kernel/workqueue.c:3486
       kthread+0x388/0x470 kernel/kthread.c:436
       ret_from_fork+0x514/0xb70 arch/x86/kernel/process.c:158
       ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

-> #5 (&cmd->lock){+.+.}-{4:4}:
       __mutex_lock_common kernel/locking/mutex.c:646 [inline]
       __mutex_lock+0x19d/0x1550 kernel/locking/mutex.c:821
       nbd_queue_rq+0xc1/0x1150 drivers/block/nbd.c:1199
       blk_mq_dispatch_rq_list+0x499/0x1990 block/blk-mq.c:2117
       __blk_mq_do_dispatch_sched block/blk-mq-sched.c:168 [inline]
       blk_mq_do_dispatch_sched block/blk-mq-sched.c:182 [inline]
       __blk_mq_sched_dispatch_requests+0xd36/0x1580 block/blk-mq-sched.c:307
       blk_mq_sched_dispatch_requests+0xd7/0x190 block/blk-mq-sched.c:329
       blk_mq_run_work_fn+0x16c/0x300 block/blk-mq.c:2532
       process_one_work kernel/workqueue.c:3322 [inline]
       process_scheduled_works+0xa8e/0x14e0 kernel/workqueue.c:3405
       worker_thread+0xa47/0xfb0 kernel/workqueue.c:3486
       kthread+0x388/0x470 kernel/kthread.c:436
       ret_from_fork+0x514/0xb70 arch/x86/kernel/process.c:158
       ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

-> #4 (set->srcu){.+.+}-{0:0}:
       srcu_lock_sync include/linux/srcu.h:199 [inline]
       __synchronize_srcu+0xc9/0x2f0 kernel/rcu/srcutree.c:1481
       elevator_switch+0x1e8/0x7b0 block/elevator.c:576
       elevator_change+0x2fa/0x480 block/elevator.c:681
       elevator_set_default+0x375/0x440 block/elevator.c:754
       blk_register_queue+0x3f3/0x4e0 block/blk-sysfs.c:992
       __add_disk+0x6cb/0xe30 block/genhd.c:528
       add_disk_fwnode+0xfb/0x4b0 block/genhd.c:597
       add_disk include/linux/blkdev.h:800 [inline]
       nbd_dev_add+0x733/0xb60 drivers/block/nbd.c:2021
       nbd_init+0x15f/0x1e0 drivers/block/nbd.c:2729
       do_one_initcall+0x250/0x870 init/main.c:1347
       do_initcall_level+0x10a/0x1a0 init/main.c:1409
       do_initcalls+0x59/0xa0 init/main.c:1425
       kernel_init_freeable+0x29d/0x3e0 init/main.c:1658
       kernel_init+0x1d/0x1d0 init/main.c:1548
       ret_from_fork+0x514/0xb70 arch/x86/kernel/process.c:158
       ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

-> #3 (&q->elevator_lock){+.+.}-{4:4}:
       __mutex_lock_common kernel/locking/mutex.c:646 [inline]
       __mutex_lock+0x19d/0x1550 kernel/locking/mutex.c:821
       elevator_change+0x1af/0x480 block/elevator.c:679
       elevator_set_none+0xb5/0x140 block/elevator.c:769
       blk_mq_elv_switch_none block/blk-mq.c:5101 [inline]
       __blk_mq_update_nr_hw_queues block/blk-mq.c:5146 [inline]
       blk_mq_update_nr_hw_queues+0x5ef/0x19f0 block/blk-mq.c:5211
       nbd_start_device+0x189/0xb30 drivers/block/nbd.c:1526
       nbd_genl_connect+0x1597/0x1c10 drivers/block/nbd.c:2276
       genl_family_rcv_msg_doit+0x233/0x340 net/netlink/genetlink.c:1114
       genl_family_rcv_msg net/netlink/genetlink.c:1194 [inline]
       genl_rcv_msg+0x614/0x7a0 net/netlink/genetlink.c:1209
       netlink_rcv_skb+0x226/0x4a0 net/netlink/af_netlink.c:2556
       genl_rcv+0x28/0x40 net/netlink/genetlink.c:1218
       netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]
       netlink_unicast+0x7bb/0x940 net/netlink/af_netlink.c:1345
       netlink_sendmsg+0x813/0xb40 net/netlink/af_netlink.c:1900
       sock_sendmsg_nosec+0x13a/0x180 net/socket.c:775
       __sock_sendmsg net/socket.c:790 [inline]
       ____sys_sendmsg+0x54e/0x850 net/socket.c:2684
       ___sys_sendmsg+0x2a5/0x360 net/socket.c:2738
       __sys_sendmsg net/socket.c:2770 [inline]
       __do_sys_sendmsg net/socket.c:2775 [inline]
       __se_sys_sendmsg net/socket.c:2773 [inline]
       __x64_sys_sendmsg+0x1b1/0x290 net/socket.c:2773
       do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
       do_syscall_64+0x174/0x580 arch/x86/entry/syscall_64.c:94
       entry_SYSCALL_64_after_hwframe+0x77/0x7f

-> #2 (&q->q_usage_counter(io)#50){++++}-{0:0}:
       blk_alloc_queue+0x544/0x690 block/blk-core.c:504
       blk_mq_alloc_queue block/blk-mq.c:4420 [inline]
       __blk_mq_alloc_disk+0x194/0x390 block/blk-mq.c:4467
       nbd_dev_add+0x494/0xb60 drivers/block/nbd.c:1991
       nbd_init+0x15f/0x1e0 drivers/block/nbd.c:2729
       do_one_initcall+0x250/0x870 init/main.c:1347
       do_initcall_level+0x10a/0x1a0 init/main.c:1409
       do_initcalls+0x59/0xa0 init/main.c:1425
       kernel_init_freeable+0x29d/0x3e0 init/main.c:1658
       kernel_init+0x1d/0x1d0 init/main.c:1548
       ret_from_fork+0x514/0xb70 arch/x86/kernel/process.c:158
       ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

-> #1 (fs_reclaim){+.+.}-{0:0}:
       __fs_reclaim_acquire mm/page_alloc.c:4329 [inline]
       fs_reclaim_acquire+0x71/0x100 mm/page_alloc.c:4343
       might_alloc include/linux/sched/mm.h:317 [inline]
       prepare_alloc_pages+0x15b/0x650 mm/page_alloc.c:5048
       __alloc_frozen_pages_noprof+0x12f/0x380 mm/page_alloc.c:5293
       __alloc_pages_noprof+0x10/0x100 mm/page_alloc.c:5338
       __alloc_pages_node_noprof include/linux/gfp.h:291 [inline]
       alloc_pages_node_noprof include/linux/gfp.h:318 [inline]
       pcpu_alloc_pages mm/percpu-vm.c:95 [inline]
       pcpu_populate_chunk+0x181/0xb30 mm/percpu-vm.c:285
       pcpu_alloc_noprof+0xbca/0x1900 mm/percpu.c:1876
       bpf_map_alloc_percpu+0x65/0x180 kernel/bpf/syscall.c:584
       bpf_array_alloc_percpu kernel/bpf/arraymap.c:39 [inline]
       array_map_alloc+0x377/0x710 kernel/bpf/arraymap.c:153
       map_create_alloc kernel/bpf/syscall.c:1523 [inline]
       map_create+0xf2a/0x1b90 kernel/bpf/syscall.c:1640
       __sys_bpf+0xaea/0xd90 kernel/bpf/syscall.c:6395
       __do_sys_bpf kernel/bpf/syscall.c:6537 [inline]
       __se_sys_bpf kernel/bpf/syscall.c:6534 [inline]
       __x64_sys_bpf+0xba/0xd0 kernel/bpf/syscall.c:6534
       do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
       do_syscall_64+0x174/0x580 arch/x86/entry/syscall_64.c:94
       entry_SYSCALL_64_after_hwframe+0x77/0x7f

-> #0 (pcpu_alloc_mutex){+.+.}-{4:4}:
       check_prev_add kernel/locking/lockdep.c:3165 [inline]
       check_prevs_add kernel/locking/lockdep.c:3284 [inline]
       validate_chain kernel/locking/lockdep.c:3908 [inline]
       __lock_acquire+0x1520/0x2cf0 kernel/locking/lockdep.c:5237
       lock_acquire+0x106/0x350 kernel/locking/lockdep.c:5868
       __mutex_lock_common kernel/locking/mutex.c:646 [inline]
       __mutex_lock+0x19d/0x1550 kernel/locking/mutex.c:821
       pcpu_alloc_noprof+0x231/0x1900 mm/percpu.c:1788
       alloc_and_link_pwqs kernel/workqueue.c:5609 [inline]
       __alloc_workqueue+0xb2c/0x2060 kernel/workqueue.c:5897
       alloc_workqueue_va kernel/workqueue.c:5946 [inline]
       alloc_workqueue_noprof+0xe3/0x210 kernel/workqueue.c:5962
       ib_mad_port_open drivers/infiniband/core/mad.c:3252 [inline]
       ib_mad_init_device+0x993/0x2150 drivers/infiniband/core/mad.c:3339
       add_client_context+0x37c/0x7b0 drivers/infiniband/core/device.c:732
       enable_device_and_get+0x19c/0x3e0 drivers/infiniband/core/device.c:1341
       ib_register_device+0x10af/0x1380 drivers/infiniband/core/device.c:1468
       rxe_register_device+0x1e3/0x350 drivers/infiniband/sw/rxe/rxe_verbs.c:1543
       rxe_net_add+0x81/0x110 drivers/infiniband/sw/rxe/rxe_net.c:625
       rxe_newlink+0xf4/0x1c0 drivers/infiniband/sw/rxe/rxe.c:243
       nldev_newlink+0x5bc/0x650 drivers/infiniband/core/nldev.c:1816
       rdma_nl_rcv_msg drivers/infiniband/core/netlink.c:-1 [inline]
       rdma_nl_rcv_skb drivers/infiniband/core/netlink.c:239 [inline]
       rdma_nl_rcv+0x6ef/0xa40 drivers/infiniband/core/netlink.c:259
       netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]
       netlink_unicast+0x7bb/0x940 net/netlink/af_netlink.c:1345
       netlink_sendmsg+0x813/0xb40 net/netlink/af_netlink.c:1900
       sock_sendmsg_nosec+0x13a/0x180 net/socket.c:775
       __sock_sendmsg net/socket.c:790 [inline]
       ____sys_sendmsg+0x54e/0x850 net/socket.c:2684
       ___sys_sendmsg+0x2a5/0x360 net/socket.c:2738
       __sys_sendmsg net/socket.c:2770 [inline]
       __do_sys_sendmsg net/socket.c:2775 [inline]
       __se_sys_sendmsg net/socket.c:2773 [inline]
       __x64_sys_sendmsg+0x1b1/0x290 net/socket.c:2773
       do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
       do_syscall_64+0x174/0x580 arch/x86/entry/syscall_64.c:94
       entry_SYSCALL_64_after_hwframe+0x77/0x7f

other info that might help us debug this:

Chain exists of:
  pcpu_alloc_mutex --> cpu_hotplug_lock --> wq_pool_mutex

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(wq_pool_mutex);
                               lock(cpu_hotplug_lock);
                               lock(wq_pool_mutex);
  lock(pcpu_alloc_mutex);

 *** DEADLOCK ***

6 locks held by syz.1.1876/12697:
 #0: ffffffff9a852ea8 (&rdma_nl_types[idx].sem){.+.+}-{4:4}, at: rdma_nl_rcv_msg drivers/infiniband/core/netlink.c:164 [inline]
 #0: ffffffff9a852ea8 (&rdma_nl_types[idx].sem){.+.+}-{4:4}, at: rdma_nl_rcv_skb drivers/infiniband/core/netlink.c:239 [inline]
 #0: ffffffff9a852ea8 (&rdma_nl_types[idx].sem){.+.+}-{4:4}, at: rdma_nl_rcv+0x33d/0xa40 drivers/infiniband/core/netlink.c:259
 #1: ffffffff8fb49908 (link_ops_rwsem){++++}-{4:4}, at: nldev_newlink+0x429/0x650 drivers/infiniband/core/nldev.c:1806
 #2: ffffffff8fb3ade8 (devices_rwsem){++++}-{4:4}, at: enable_device_and_get+0xff/0x3e0 drivers/infiniband/core/device.c:1331
 #3: ffffffff8fb3b0e8 (clients_rwsem){++++}-{4:4}, at: enable_device_and_get+0x165/0x3e0 drivers/infiniband/core/device.c:1339
 #4: ffff888021f90620 (&device->client_data_rwsem){++++}-{4:4}, at: add_client_context+0x33e/0x7b0 drivers/infiniband/core/device.c:730
 #5: ffffffff8e7f6cc0 (wq_pool_mutex){+.+.}-{4:4}, at: __alloc_workqueue+0xa9c/0x2060 kernel/workqueue.c:5895

stack backtrace:
CPU: 1 UID: 0 PID: 12697 Comm: syz.1.1876 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/09/2026
Call Trace:
 dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
 print_circular_bug+0x2e1/0x300 kernel/locking/lockdep.c:2043
 check_noncircular+0x12e/0x150 kernel/locking/lockdep.c:2175
 check_prev_add kernel/locking/lockdep.c:3165 [inline]
 check_prevs_add kernel/locking/lockdep.c:3284 [inline]
 validate_chain kernel/locking/lockdep.c:3908 [inline]
 __lock_acquire+0x1520/0x2cf0 kernel/locking/lockdep.c:5237
 lock_acquire+0x106/0x350 kernel/locking/lockdep.c:5868
 __mutex_lock_common kernel/locking/mutex.c:646 [inline]
 __mutex_lock+0x19d/0x1550 kernel/locking/mutex.c:821
 pcpu_alloc_noprof+0x231/0x1900 mm/percpu.c:1788
 alloc_and_link_pwqs kernel/workqueue.c:5609 [inline]
 __alloc_workqueue+0xb2c/0x2060 kernel/workqueue.c:5897
 alloc_workqueue_va kernel/workqueue.c:5946 [inline]
 alloc_workqueue_noprof+0xe3/0x210 kernel/workqueue.c:5962
 ib_mad_port_open drivers/infiniband/core/mad.c:3252 [inline]
 ib_mad_init_device+0x993/0x2150 drivers/infiniband/core/mad.c:3339
 add_client_context+0x37c/0x7b0 drivers/infiniband/core/device.c:732
 enable_device_and_get+0x19c/0x3e0 drivers/infiniband/core/device.c:1341
 ib_register_device+0x10af/0x1380 drivers/infiniband/core/device.c:1468
 rxe_register_device+0x1e3/0x350 drivers/infiniband/sw/rxe/rxe_verbs.c:1543
 rxe_net_add+0x81/0x110 drivers/infiniband/sw/rxe/rxe_net.c:625
 rxe_newlink+0xf4/0x1c0 drivers/infiniband/sw/rxe/rxe.c:243
 nldev_newlink+0x5bc/0x650 drivers/infiniband/core/nldev.c:1816
 rdma_nl_rcv_msg drivers/infiniband/core/netlink.c:-1 [inline]
 rdma_nl_rcv_skb drivers/infiniband/core/netlink.c:239 [inline]
 rdma_nl_rcv+0x6ef/0xa40 drivers/infiniband/core/netlink.c:259
 netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]
 netlink_unicast+0x7bb/0x940 net/netlink/af_netlink.c:1345
 netlink_sendmsg+0x813/0xb40 net/netlink/af_netlink.c:1900
 sock_sendmsg_nosec+0x13a/0x180 net/socket.c:775
 __sock_sendmsg net/socket.c:790 [inline]
 ____sys_sendmsg+0x54e/0x850 net/socket.c:2684
 ___sys_sendmsg+0x2a5/0x360 net/socket.c:2738
 __sys_sendmsg net/socket.c:2770 [inline]
 __do_sys_sendmsg net/socket.c:2775 [inline]
 __se_sys_sendmsg net/socket.c:2773 [inline]
 __x64_sys_sendmsg+0x1b1/0x290 net/socket.c:2773
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x174/0x580 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fda0e39ce59
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fda0f214028 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007fda0e615fa0 RCX: 00007fda0e39ce59
RDX: 0000000000004000 RSI: 0000200000000180 RDI: 0000000000000003
RBP: 00007fda0e432e6f R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fda0e616038 R14: 00007fda0e615fa0 R15: 00007ffed81c8a38
workqueue: Failed to create a rescuer kthread for wq "ib_mad1": -EINTR
infiniband syz1: Couldn't open port 1
smbdirect: ib_dev[syz1]: added: IB_CA max_fast_reg_page_list_len=512 device_cap_flags=0x1c001223c76 kernel_cap_flags=0x14 page_size_cap=0xfffff000
smbdirect: ib_dev[syz1]: num_ports=1 max_qp_rd_atom=128 max_qp_init_rd_atom=128 max_sgl_rd=0 max_sge_rd=32 max_cqe=32767 max_qp_wr=1048576 max_send_sge=32 max_recv_sge=32
smbdirect: ib_dev[syz1]PORT[1]: iwarp=0 ib=0 roce=1 v1=0 v2=1 core_cap_flags=0x803005
RDS/IB: syz1: added
smc: adding ib device syz1 with port count 1
smc: ib device syz1 port 1 has no pnetid
xfrm0 speed is unknown, defaulting to 1000
xfrm0 speed is unknown, defaulting to 1000
xfrm0 speed is unknown, defaulting to 1000
xfrm0 speed is unknown, defaulting to 1000
xfrm0 speed is unknown, defaulting to 1000